It is happening on WordPress and Joomla sites, but it can affect any website, since the attackers are gaining access to sites via stolen passwords. Once inside, they modify the .htaccess file to redirect users to malware domains (and search engines, for SEO). In some cases, the code is injected into the index.php file: